misc: check order_by parameter is a correct identifier (#42825)
This commit is contained in:
parent
ad6be53657
commit
c34a405504
|
@ -505,6 +505,9 @@ def test_backoffice_listing_order(pub):
|
|||
ids = [x.strip('/') for x in re.findall(r'data-link="(.*?)"', resp.text)]
|
||||
assert ids == list(reversed(last_update_time_order))
|
||||
|
||||
# try invalid values
|
||||
resp = app.get('/backoffice/management/form-title/?order_by=toto.plop', status=400)
|
||||
|
||||
|
||||
def test_backoffice_listing_anonymised(pub):
|
||||
if not pub.is_using_postgresql():
|
||||
|
|
|
@ -263,8 +263,8 @@ class ApiFormsDirectory(Directory):
|
|||
limit = misc.get_int_or_400(get_request().form.get('limit',
|
||||
get_publisher().get_site_option('default-page-size') or 20))
|
||||
offset = misc.get_int_or_400(get_request().form.get('offset', 0))
|
||||
order_by = get_request().form.get('order_by',
|
||||
get_publisher().get_site_option('default-sort-order') or '-receipt_time')
|
||||
order_by = misc.get_order_by_or_400(get_request().form.get('order_by',
|
||||
get_publisher().get_site_option('default-sort-order') or '-receipt_time'))
|
||||
|
||||
formdatas = sql.AnyFormData.select(criterias, order_by=order_by, limit=limit, offset=offset)
|
||||
if get_query_flag('ignore-roles'):
|
||||
|
|
|
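Review bot: The configured fallback in the new assignment (`get_publisher().get_site_option('default-sort-order') or '-receipt_time'`) is passed through `misc.get_order_by_or_400` together with the client-supplied value, so a misconfigured `default-sort-order` site option is answered with a 400 attributed to the client rather than surfacing as a server-side configuration error. Validating the configured default is reasonable defence in depth, but if the response code should reflect who is at fault, validate only the request value and apply the default afterwards: `order_by = misc.get_order_by_or_400(get_request().form.get('order_by')) or get_publisher().get_site_option('default-sort-order') or '-receipt_time'`. The ManagementDirectory hunk (`@ -860`) has the same shape and the same remark applies there. The enclosing method starts and ends outside the hunk.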
@ -359,7 +359,7 @@ class UsersViewDirectory(Directory):
|
|||
limit = misc.get_int_or_400(get_request().form.get('limit',
|
||||
get_publisher().get_site_option('default-page-size')) or 20)
|
||||
offset = misc.get_int_or_400(get_request().form.get('offset', 0))
|
||||
order_by = get_request().form.get('order_by', None) or 'name'
|
||||
order_by = misc.get_order_by_or_400(get_request().form.get('order_by', None)) or 'name'
|
||||
query = get_request().form.get('q')
|
||||
|
||||
get_response().filter['sidebar'] = self.get_search_sidebar(
|
||||
|
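Review bot: An empty `order_by=` query parameter now produces a 400 on the new line `order_by = misc.get_order_by_or_400(get_request().form.get('order_by', None)) or 'name'`, because `''` is not `None` and does not match the helper's pattern, whereas the removed line fell back to `'name'`. If the stricter behaviour is intended, a test pinning it would document the change; if not, normalise before validating, e.g. `order_by = misc.get_order_by_or_400(get_request().form.get('order_by') or None) or 'name'`. The two FormPage hunks (`@ -1681` and `@ -2057`) carry the same change on lines that previously fell through to `self.view.order_by`. The enclosing method starts and ends outside the hunk.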
@ -860,8 +860,8 @@ class ManagementDirectory(Directory):
|
|||
limit = misc.get_int_or_400(get_request().form.get('limit',
|
||||
get_publisher().get_site_option('default-page-size') or 20))
|
||||
offset = misc.get_int_or_400(get_request().form.get('offset', 0))
|
||||
order_by = get_request().form.get('order_by',
|
||||
get_publisher().get_site_option('default-sort-order') or '-receipt_time')
|
||||
order_by = misc.get_order_by_or_400(get_request().form.get('order_by',
|
||||
get_publisher().get_site_option('default-sort-order') or '-receipt_time'))
|
||||
|
||||
criterias = self.get_global_listing_criterias()
|
||||
criterias.append(Null('anonymised')) # exclude anonymised forms
|
||||
|
@ -1681,7 +1681,7 @@ class FormPage(Directory):
|
|||
else:
|
||||
limit = misc.get_int_or_400(get_request().form.get('limit', 0))
|
||||
offset = misc.get_int_or_400(get_request().form.get('offset', 0))
|
||||
order_by = get_request().form.get('order_by')
|
||||
order_by = misc.get_order_by_or_400(get_request().form.get('order_by'))
|
||||
if self.view and not order_by:
|
||||
order_by = self.view.order_by
|
||||
if not order_by:
|
||||
|
@ -2057,7 +2057,7 @@ class FormPage(Directory):
|
|||
user = get_user_from_api_query_string() or get_request().user if not anonymise else None
|
||||
selected_filter = self.get_filter_from_query(default='all')
|
||||
criterias = self.get_criterias_from_query()
|
||||
order_by = get_request().form.get('order_by', None)
|
||||
order_by = misc.get_order_by_or_400(get_request().form.get('order_by', None))
|
||||
if self.view and not order_by:
|
||||
order_by = self.view.order_by
|
||||
query = get_request().form.get('q') if not anonymise else None
|
||||
|
|
|
@ -807,3 +807,11 @@ def get_int_or_400(value):
|
|||
return int(value)
|
||||
except ValueError:
|
||||
raise RequestError()
|
||||
|
||||
|
||||
def get_order_by_or_400(value):
|
||||
if value is None:
|
||||
return None
|
||||
if not re.match(r'-?[a-z_-]+$', value):
|
||||
raise RequestError()
|
||||
return value
|
||||
|
|
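Review bot: `re.match(r'-?[a-z_-]+$', value)` in `get_order_by_or_400` anchors with `$`, which also matches immediately before a trailing newline, so a value ending in a newline is accepted and handed back to the caller; anchor with `\Z` instead: `if not re.match(r'-?[a-z_-]+\Z', value):`. The character class also admits values consisting only of hyphens (`-`, `--`), which is presumably harmless for the SQL layer but worth confirming against the consumers of `order_by`. The helper has no docstring; a short one such as `"""Return value if it is a plain sort key (optional leading '-', then [a-z_-]); None is passed through; anything else raises RequestError (400)."""` would document the contract for the call sites changed in this commit.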